February 25, 2004

Sendmail takes sender authentication seriously

Author: Jackie Lightfield

Sendmail, Inc., which claims that more than 60% of the world's email traffic runs on its messaging servers, announced Monday that it is developing and promoting sender authentication technologies that are designed to prevent email address spoofing, forging and email fraud. The open source technology will follow Sendmail's plug-in

Sendmail plans to test many mainstream sender authentication schemes in
order to figure out which ones, or which combinations, are effective at
reducing or eliminating unwanted email messages. Once a set of
effective schemes is identified, Sendmail plans to release plug-ins for
both the open source sendmail Mail Transfer Agent (MTA) and Sendmail's
commercial email message products. Testing is currently taking
place and will continue through the second quarter, with an expected
release of the open source plug-ins sometime in the third quarter. Sendmail's Todd
Blaschka said, "Our approach is that these schemes
will remain invisible to the end user. There is no 'winner take all' from
the OS or applications perspective as to what scheme becomes dominant."

One of the first schemes receiving Sendmail's attention is DomainKeys,
which Yahoo! announced late last year as a way to combat spoofed email.
The DomainKeys scheme uses public/private key cryptography as its
authentication method. DomainKeys digitally signs an outgoing email
message with a private key. The system receiving the message uses
public key data to validate the message and allow it through.

Sendmail plans to test the Yahoo! DomainKeys scheme with a variety of
open standards through the second quarter, in an effort to encourage
more rapid adoption across the Internet. At this time Sendmail is
uncertain about how the release schedule will look, but the plan is to
release an open source package that will enable other email systems to
generate and validate the DomainKeys authentication information, as
well as the other schemes when Sendmail has determined they are
effective and ready for release.

Sendmail also endorsed Microsoft's Caller ID for E-mail technology, which Bill Gates announced yesterday. Sendmail will develop an open source plug-in based on Microsoft's Caller ID spec. Caller ID is designed to perform an IP check of the email header
against a published text record in the domain's DNS record. George
Webb, Microsoft's group business manager, anti-spam technology and strategy team,
explained, "We took one year of development before we released the
spec, working outside of Microsoft and with feedback with other
partners. The whole goal is to solve the spam problem, which requires
teamwork and partnership. Signature-based and IP-based solutions are
both promising and complementary as part of a long-term solution."

The Caller ID pilot test includes outbound mail passing through
Microsoft.com, Amazon.com, and Hotmail.com, as well as
Sendmail. Inbound Caller ID tests are scheduled for early
summer. Microsoft declined to reveal whether it will be incorporating
other sender authentication schemes in its products.

Sendmail has chosen not to test Sender Policy Framework
(SPF), another popular sender authentication scheme. SPF is an extension to the SMTP standard that requires MX
records to add SPF protocol information which checks DNS to see if the
originating IP address on the message comes from the originating
domain. This sender authentication scheme provides a way for MTAs to
verify that an email message came from where it claims to have come
from before moving it to users' inboxes.

"Anything done to fight spam is a good thing," said Mark Levitt, vice president
for collaborative computing at IDC. "Winning the war on spam will take
many players on many different levels cooperating with service
providers and users. There is no wrong way to fight spam, and it will
take a coordinated effort, the challenge being to take the money out of
spam, and make it harder to do business as spammers."

Sender authentication will not solve the spam problem alone,
Levitt concedes, "but it's a welcome sharing of technology that is a good step
to dedicate product strategies towards fighting spam instead of
commercializing products."

Sender authentication technology will be just one of many ways to
combat spam alongside legislative efforts, other technologies, and user
education, Levitt said.

